Within the past year, the U.S. has adopted two parallel legal frameworks aiming to address the national security risks of transactions involving sensitive personal data: the Protecting Americans' Data from Foreign Adversaries Act of 2024 and the U.S. Department of Justice's Data Security Program. While the two regimes share a common objective — protecting U.S. sensitive personal data from access or misuse by foreign adversaries — they regulate different entities and operate under markedly different structures. For U.S. entities engaging globally, distinguishing between these frameworks is essential.
The DSP is a regulatory program created under Executive Order 14117. It is administered by the DOJ and applies to a broad range of U.S. persons and transaction types. It sets volume-based thresholds for covered data and allows certain data transfers to proceed if security, contractual and diligence requirements are met. The PADFAA, by contrast, was enacted by Congress. Enforced by the Federal Trade Commission, it applies only to data brokers but prohibits transactions of any volume.
Both instruments reflect a growing trend in data regulation, where geopolitical considerations increasingly shape cross-border data practices.
PADFAA: Scope and core prohibitions
Effective as of June 2024, the PADFAA applies to "data brokers" and prohibits certain data transactions absolutely, without any risk-based exceptions or mitigation mechanisms. More specifically, it prohibits any data broker from selling, licensing, renting, trading, transferring, releasing, disclosing, providing access to or otherwise making available "personally identifiable sensitive data" of a U.S. individual to a "foreign adversary country" or to any entity controlled by a foreign adversary.
The PADFAA defines a data broker as "an entity that, for valuable consideration, sells, licenses, rents, trades, transfers, releases, discloses, provides access to, or otherwise makes available data of United States individuals that the entity did not collect directly from such individuals to another entity that is not acting as a service provider." The definition has various exclusions, including transfers to another entity that acts as a service provider.
However, entities engaged in aggregating, enriching or distributing third-party data should evaluate whether they fall within this definition. "Sensitive data" includes Social Security numbers and other government-issued identifiers, biometric information, precise geolocation, financial account details, health data, private communications, account or device log-in credentials and a range of other demographic and behavioral data.
"Foreign adversary country" under PADFAA is defined by statute and currently includes China, Iran, North Korea and Russia.
By contrast, the DSP applies not only to data brokerage transactions but to a broad range of other U.S. persons, a term that includes both companies and individuals. It regulates data flows not only to the four countries covered by the PADFAA but also to Cuba and Venezuela, as well as to any others designated by the U.S. attorney general in the future as a "country of concern."
The PADFAA's prohibitions apply regardless of the volume of data involved. Unlike the DSP, where there are thresholds for bulk transfers, under the PADFAA the transfer of a single data record to a foreign adversary country or adversary-controlled entity may constitute a violation. No mitigation measures, technical safeguards or contractual terms can render a prohibited transfer permissible. This formulation includes technical access, such as through dashboards, APIs or other remote systems.
In contrast, the DSP allows for certain restricted transactions, subject to prescribed safeguards. These include cybersecurity measures consistent with Cybersecurity and Infrastructure Security Agency standards, documented due diligence procedures and contractual controls.
This difference in regulatory philosophy is central. The PADFAA leaves no room for interpretation once its definitions are met. The DSP, on the other hand, relies on a compliance model based on risk assessment and mitigation.
Definitions of sensitive data: Comparing PADFAA and DSP
The PADFAA regulates "personally identifiable sensitive data," with the term "sensitive data" defined in the statute. The DSP regulates "sensitive personal data," defined as "covered personal identifiers, precise geolocation data, biometric identifiers, human 'omic data, personal health data, personal financial data," with each of those terms separately defined in the regulation. The result is a complicated crosswalk, summarized in the table below.
| PADFAA | DSP |
| --- | --- |
| Government-issued identifier | Full or truncated government identification or account number. |
| Demographic or contact data, such as first and last name, birth date, birthplace, ZIP code, residential street or postal address, phone number, email address or similar public account identifiers. | |
| Any information that describes or reveals the past, present or future physical health, mental health, disability, diagnosis or healthcare condition or treatment of an individual. | Personal health data. See detailed definition at 28 CFR 202.241. |
| A financial account number, debit card number, credit card number or information that describes or reveals the income level or bank account balances of an individual. | Full financial account number or personal identification number associated with a financial institution or financial services company; personal financial data, defined at 28 CFR 202.240. |
| Biometric information | Biometric identifiers are defined at 28 CFR 202.204 as measurable physical characteristics or behaviors used to recognize or verify the identity of an individual. This includes facial images, voice prints and patterns, retina and iris scans, palm prints and fingerprints, gait and keyboard usage patterns enrolled in a biometric system and the templates created by the system. |
| Genetic information | Human 'omic data, defined at 28 CFR 202.224. |
| Precise geolocation information | Precise geolocation data, as defined at 28 CFR 202.242. |
| An individual's private communications, or information identifying the parties to such communications or pertaining to the transmission of such communications. | Device or hardware-based identifier, such as IMEI, MAC address or SIM card number; advertising identifier, like Google Advertising ID, Apple ID for Advertisers or other mobile advertising ID; network-based identifier, such as IP address or cookie data; call-detail data, such as customer proprietary network information. The definition of "sensitive personal data" specifically excludes personal communications. |
| Account or device log-in credentials or security or access codes | Account-authentication data, such as account username, account password or an answer to security questions. |
| Information identifying the sexual behavior of an individual. | |
| Calendar information, address book information, phone or text logs, photos, audio recordings or videos, maintained for private use by an individual. | |
| A photograph, film, video recording or other similar medium that shows the naked or undergarment-clad private area of an individual. | |
| Information revealing the video content requested or selected by an individual. | |
| Information about an individual under the age of 17. | |
| An individual's race, color, ethnicity or religion. | |
| Information identifying an individual's online activities. | |
| Information that reveals the status of an individual as a member of the Armed Forces. | The DSP regulates any sensitive personal data, regardless of volume, that a transacting party markets as linked or linkable to current or recent former employees or contractors, or former senior officials, of the U.S. government, including the military and intelligence community. |
| Any other data that a data broker sells, licenses, rents, trades, transfers, releases, discloses, provides access to or otherwise makes available to a foreign adversary country, or entity that is controlled by a foreign adversary, for the purpose of identifying the types of data listed in the foregoing categories. | |
Making data 'available' or providing 'access'
Both regimes cover a broad range of activities, encompassing any conduct or practice that could provide access to, or otherwise make available, personally identifiable sensitive data of a U.S. individual to a designated foreign adversary country or an entity controlled by one.
Under the PADFAA, providing access through an interface, platform, dashboard, API or any other mechanism that allows a foreign adversary-controlled entity to retrieve or interact with the data may be enough to make an entity a data broker, so long as the "for valuable consideration" element of the definition of data broker is met. This interpretation has implications for organizations that rely on subscription-based access models. A data broker that does not sell data but permits technical access or programmatic retrieval under license will still fall within the statute. This places particular importance on recipient screening and the implementation of robust access controls.
Comparing other key features
The PADFAA and the DSP both aim to reduce foreign access to sensitive U.S. data, but they do so through entirely different legal instruments.
The PADFAA applies only to entities meeting the definition of data broker. The DSP applies to any U.S. person, including both companies and individuals, who engages in covered data transactions, which include not only data brokerage but also access arising from vendor arrangements, employment relationships, investment partnerships or joint ventures. Also, while the PADFAA definition of data broker is limited to entities processing third-party data, that is, data that the data broker did not collect directly from the individual to whom it pertains, the DSP data brokerage restrictions apply not only to third-party data but also to first-party data — data that the disclosing person collected directly from the individuals to whom it pertains.
While the PADFAA prohibits data broker disclosures of even one data point, the DSP's application is limited to "bulk" data, defined through numerical thresholds, and to government-related data of any volume.
The PADFAA is a direct statutory prohibition. It does not allow restricted transactions, nor does it include any compliance mechanism that would permit certain transfers to proceed. Once a recipient is identified as a foreign adversary country or controlled by a foreign adversary, the broker must not make data available, regardless of any technical, contractual or policy safeguards that may be in place. In contrast, the DSP provides a pathway for lawful transactions in limited circumstances.
While the PADFAA restricts data flows to four countries — China, Iran, North Korea, and Russia — the DSP covers six: the four in the PADFAA plus Cuba and Venezuela.
There are also differences in how control is assessed. Under the PADFAA, an individual or entity is considered controlled by a foreign adversary if it is an individual or entity domiciled in, headquartered in, having its principal place of business in or organized under the laws of a foreign adversary country; if it is an entity in which persons controlled by a foreign adversary directly or indirectly own at least a 20% stake; or if it is a person subject to the direction or control of a person controlled by a foreign adversary. Although similar in many respects, the DSP uses a 50% ownership threshold. Under both regimes, the inclusion of indirect ownership requires covered persons to examine their customer base and contractual chains with precision.
Finally, the PADFAA has no implementing regulations or agency commentary. Unlike the extensive FAQs and compliance guide issued by the DOJ on the DSP, the FTC has not provided public guidance on enforcement expectations, scope or definitions. This leaves compliance teams to assess and apply the statute without any additional formal direction. The absence of administrative guidance does not reduce compliance obligations. Legal and compliance professionals must interpret key terms such as "provide access," "make available" and "control" using standard principles of statutory construction.
Enforcement mechanisms and penalties
PADFAA violations are enforced by the FTC as unfair or deceptive acts or practices under Section 5 of the FTC Act. Penalties include civil fines, injunctions and other remedies. The statutory language does not provide safe harbors or affirmative defenses once a prohibited transfer is made, and each individual data transfer may be treated as a separate offense.
In contrast, the DSP allows for civil and criminal penalties, but it evaluates compliance based on the presence or absence of good faith efforts, due diligence and adherence to technical standards, reflecting the risk-based structure of that program.
Enforcement priority
Statements from agency leadership indicate how seriously regulators view the sale of sensitive personal data to certain foreign actors. At the IAPP Global Privacy Summit 2025, U.S. Federal Trade Commissioner Melissa Holyoak outlined the FTC's priorities. Among them was for the FTC to "leverage (their) existing statutory authorities," like the PADFAA, to prevent the purchase of U.S. sensitive personal data. She also noted that "in the future there may be opportunities (for the FTC) to partner with the Department of Justice" as it enforces the DSP.
Handling the risk
The PADFAA is structurally simple but operationally demanding. Its limited scope — restricted to data brokers and four named jurisdictions — is offset by the breadth of its prohibition. It imposes a clear embargo upon data brokers with limited exceptions or compliance pathways. Once the statutory elements are satisfied, the transfer is unlawful.
The lack of guidance, narrow scope, and strict enforcement posture set the PADFAA apart from the more layered framework of the DOJ's DSP. The DSP's compliance model permits more discretion, but also imposes obligations of documentation, diligence and risk evaluation.
For organizations subject to both the PADFAA and the DOJ's Data Security Program, it is critical to distinguish their obligations. The two frameworks share a strategic policy goal but differ in form, substance and compliance architecture. Reducing risk will require proactive protocols, contractual safeguards and screening procedures for vendor, employment and investment relationships, which in turn means selecting suitable tools, establishing sufficient security architecture and training relevant personnel. Luckily for most, they will not be starting from scratch. Many organizations will be able to adapt their current compliance programs, folding vendor screenings, data flow approvals, senior sign-off, regular data mapping and record keeping into already structured governance practices.
Cheryl Saniuk-Heinig, CIPP/E, CIPP/US, is a former research and insights analyst at the IAPP and Jim Dempsey is the managing director for the IAPP Cybersecurity Law Center.